Abstract

We completely describe a new domain for abstract interpretation 
of numerical programs. Fixpoint iteration in this domain is proved 
to converge to finite precise invariants for (at least) the class of 
stable linear recursive filters of any order. Good evidence shows it 
behaves well also for some non-linear schemes. The result, and the 
structure of the domain, rely on an interesting interplay between 
order and topology. 

Categories and Subject Descriptors D.2.4 [Software/Program Verification]: [Validation]; F.3.1 [Specifying and Verifying and Reasoning about Programs]: [Mechanical verification]; F.3.2 [Semantics of Programming Languages]: [Program analysis]

General Terms Theory, Verification 

Keywords Abstract interpretation, numerical programs 

1. Introduction 

An everlasting challenge of the verification of programs involving 
numerical computations is to efficiently find accurate invariants for 
values of variables. Even though machine computations use finite 
precision arithmetic, it is important to rely on the properties of 
real numbers and estimate the real number values of the program 
variables first, before even trying to characterize the floating-point 
number invariants. We refer the reader to [9], which describes
a way to go from this to floating-point analysis, or to the static
linearization techniques of [15].

In [9] as well, some first ideas about an abstract interpretation
domain which would be expressive enough for deriving these invariants
were sketched. It relied on a more accurate alternative to
interval arithmetic: affine arithmetic, the concretization of which is
a center-symmetric polytope. But, contrary to existing numerical
relational abstract domains with polyhedral concretization (polyhedra
[4] of course, but also zones, octagons [16] etc.), dependencies
in affine arithmetic are implicit, making the semantics very economical.
Also, affine arithmetic is close to Taylor models, which
can be exploited to give precise abstractions of non-linear computations.



* This material is based upon work supported by the ANR project EvaFlo and
the ITEA 2 project ES_PASS.
But these advantages are at a theoretical cost: the partial order
and the correctness of the abstract computations are intricate to find 
and prove. In this article, we construct a "quasi" lattice abstract 
domain, and study the convergence of fixpoint computations. We 
show how the result of the join operators we define can be consid- 
ered as a perturbation of the affine forms, and thus how the fixpoint 
iteration can be seen as a perturbation of the numerical schemes we 
analyze. A crucial point is that our abstract domain is both almost 
a bounded complete lattice, and an ordered Banach space, where 
approximation theorems and convergence properties of numerical 
schemes naturally fit. As an application of the framework, we prove 
that our approach allows us to accurately bound the values of vari- 
ables for stable linear recursive filters of any order. 

Contributions This article fully describes a general "complete- 
ness" result of the abstract domain, for a class of numerical pro- 
grams (linear recursive filters of any order), meaning that we prove 
that the abstract analysis results will end up with finite numerical 
bounds whenever the numerical scheme analyzed has this property. 
We also show good evidence that, on this class of programs, we can 
get as close an over-approximation of the real result as we want. 

The abstract domain on which we prove this result is a gener- 
alization of the one of [9]; better join and meet operators are de- 
scribed, and the full order-theoretic structure is described (sketches 
of proofs are given). 

A new feature of this domain, with respect to the other numeri- 
cal abstract domains, is that it does not only have an order-theoretic 
structure, but also a topological one, the interaction of which plays 
an important role in our results. The domain is an ordered Banach 
space, "almost" a Riesz space, which are structures of interest in 
functional analysis and optimization theory. This is not just a coin- 
cidence: correctness of the abstraction relies on the correctness of 
functional evaluations in the future, i.e. continuations. This opens 
up promises for useful generalizations and new techniques for solv- 
ing the corresponding semantic equations. 

Contents Section 2 introduces the general problematic of finding
precise invariants for numerical programs, and defines an interesting
sub-class of problems, that is linear recursive filters of any
order. We also introduce the classical affine forms [18] introduced in
numerical mathematics, on which our work elaborates.

Section 3 extends these affine forms to deal with static analysis
invariants. We show that the set of such generalized forms has the 
structure of an ordered Banach space, which almost has least upper 
bounds and greatest lower bounds: it actually only has maximal 
lower bounds and minimal upper bounds, in general. An equivalent 
of bounded completeness is proved using the interplay between the 
partial order and the topology (from the underlying Banach space). 

We develop particular Kleene iteration techniques in Section 4.
With these, we prove that we can find finite bounds for the
invariants of stable linear recursive filters. We also show evidence
that these abstractions give good results in practice, using our current
C implementation of the abstract semantics.

Finally, we give hints about current and future work in Sections
5 and 6.

2. Problematic 

We are interested in numerical schemes in the large. This includes 
signal processing programs, control programs such as the ones used 
in aeronautics, automotive and space industry, libraries for com- 
puting transcendental functions, and as a long-term goal, simula- 
tion programs (including the solutions of ordinary or partial dif- 
ferential equations). The context of our work is the determination 
of the accuracy reached by the finite precision (generally IEEE 
754) implementation of these numerical schemes, see for instance 
[5, 6, 7, 9, 12]. But it is already a difficult problem for these numerical
programs to determine run-time errors (RTEs) statically,
just because the bounds of the results of numerical computation are 
hard to find. These bounds are not only hard to find for floating- 
point arithmetic, but also for real arithmetic, which is the first crit- 
ical step towards solving the complete problem. 

In the sequel, we describe a precise abstract domain of
affine forms for bounding real number calculations, in the sense of
abstract interpretation [3].

We give in Section 2.1 a class of simple programs that are pervasive
in the field of numerical computing: linear recursive filters of
any order. They are encountered generally in signal processing and 
control programs, but encompass also all linear recurrence schemes 
that can be found in simulation programs. We will study extensively 
the behavior of our abstract domain on such programs. 

Of course, we are also interested in non-linear schemes, and 
already studied some coming for example from the solution of a 
conjugate gradient algorithm, or algorithms for estimating tran- 
scendental functions. And, as we will see in the description of our 
abstract semantics, one of the interesting points of affine forms is 
that they behave well also for non-linear computations, in a much 
more precise and natural way than with classical polyhedra, or 
zones/octagons. But we have not reached yet the point in the theory
where we can state as precise statements as for the analysis of
linear dynamical systems, although strong practical evidence shows
that our method gives very good results as well for some non-linear
dynamical systems (see for instance [9, 12] for some examples that
were already solved with a much coarser abstract domain than the
one of this article).

2.1 A class of numerical schemes of interest 

Let us consider the following class of programs, that we will study
in depth with our abstract domain in Section 4.3:



    filter (float x[n+1]) {                                   [1]
      real e[n+1];
      e[*] = input(m,M);
      while (true) {                                          [2]
        e[n+1] = input(m,M);
        x[n+1] = a[1]*x[1] + a[2]*x[2] + ... + a[n]*x[n]
               + b[1]*e[1] + b[2]*e[2] + ... + b[n+1]*e[n+1]; [3]
        x[n] = x[n+1]; ... x[1] = x[2];                       [4]
      }
    }

In the program above, a[] is an array of n constants $a_i$, $i =
1, \ldots, n$ (indices of arrays start at 1), b[] is an array of $n + 1$
constants $b_i$, $i = 1, \ldots, n+1$. M and m are parameters, giving
the bounds M and m of the successive inputs over time.
For purposes of simplicity, as was discussed in the introduction,
types of variables are real number types. We use the notation
e[*]=input(m,M); to denote the sequence of $n + 1$ input assignments
between m and M. At iterate k of the filter, variable x[i]
represents the value $x_{k+i}$ of the output. Our main interest here is
in the invariant at control point [2] (control points are indicated as
numbers within square brackets).

Figure 1. A run of the filter example.

Figure 2. Min and max over the iterations.

The program filter describes the infinite iteration of a filter of
order n with coefficients $a_1, \ldots, a_n, b_1, \ldots, b_{n+1}$ and a new input
e between m and M at each iteration:

$$x_{k+n+1} = \sum_{i=1}^{n} a_i\, x_{k+i} + \sum_{j=1}^{n+1} b_j\, e_{k+j}, \qquad (1)$$

starting with initial conditions $x_1, \ldots, x_n$. We rewrite (1) as:

$$X_{k+1} = A X_k + B E_{k+1}. \qquad (2)$$

Now, of course, (2) has solution

$$X_k = A^{k-1} X_1 + \sum_{i=2}^{k} A^{k-i} B E_i,$$

where $X_1$ is the vector of initial conditions of this linear dynamical
system. If A has eigenvalues (roots of $s^n - \sum_{i=1}^{n} a_i s^{i-1}$)
of modulus strictly less than 1, then the term $A^{k-1} X_1$ will tend
to zero when k tends toward infinity, whereas the partial sums
$\sum_{i=2}^{k} A^{k-i} B E_i$ will tend towards a finite value (obtained as a convergent
infinite series).

Example 1. Consider the following filter of order 2 (see [10]):

$$x_i = 0.7\, e_i - 1.3\, e_{i-1} + 1.1\, e_{i-2} + 1.4\, x_{i-1} - 0.7\, x_{i-2},$$

where the $e_i$ are independent inputs between 0 and 1. A typical run
of this algorithm with $e_i = \tfrac12$ (for all i) and $x_0 = 0$, $x_1 = 0$
converges towards 0.8333..., stays positive, and reaches at most
1.1649 (its dynamics is shown in Figure 1).



2.2 Classical affine arithmetic

An affine form is a formal series over a set of noise symbols $\varepsilon_i$:

$$x = \alpha_0^x + \sum_{i=1}^{\infty} \alpha_i^x \varepsilon_i,$$

with $\alpha_i^x \in \mathbb{R}$.

Figure 3. Concretization is a center-symmetric polytope.



Let AR denote the set of such affine forms. Each noise symbol
$\varepsilon_i$ stands for an independent component of the total uncertainty
on the quantity x; its value is unknown but bounded in [-1,1]; the
corresponding coefficient $\alpha_i^x$ is a known real value, which gives
the magnitude of that component. The idea is that the same noise
symbol can be shared by several quantities, indicating correlations
among them. These noise symbols can be used not only for modeling
uncertainty in data or parameters, but also uncertainty coming
from computation.

When the cardinal of the set $\{i \mid \alpha_i^x \neq 0\}$ is finite, such affine
forms correspond to the affine forms introduced first in [18] and
defined for static analysis in [9] by the authors.

The concretization of a set of affine forms sharing noise symbols
is a center-symmetric polytope, whose center is given by the $\alpha_0$
vector of the affine forms. For example, the concretization of

$$x = 20 - 4\varepsilon_1 + 2\varepsilon_3 + 3\varepsilon_4, \qquad y = 10 - 2\varepsilon_1 + \varepsilon_2 - \varepsilon_4$$

is given in Figure 3.

AR is an $\mathbb{R}$-vector space with the operations $+$ (coefficientwise addition) and $\times$ (scaling by a real $\lambda$):

$$\lambda \times \Big(\alpha_0^x + \sum_{i=1}^{\infty} \alpha_i^x \varepsilon_i\Big) = \lambda \alpha_0^x + \sum_{i=1}^{\infty} \lambda \alpha_i^x \varepsilon_i.$$

A sub-vector space $AR_1$ of AR can be classically endowed with
a Banach space structure, using the $\ell_1$ norm

$$\|x\|_1 = \sum_{i=0}^{\infty} |\alpha_i^x|$$

for the elements x such that the above sum is finite.
We define the projection

$$\pi_L(x) = \sum_{i=1}^{\infty} \alpha_i^x \varepsilon_i$$

and the associated semi-norm $\|x\|_L = \|\pi_L(x)\|_1$.
We also define $\|x\|_A = |\alpha_0^x| + \|x\|_L$.

Let us come back now to the linear recursive filters of Section
2.1. For simplicity's sake, suppose $e_{k+n+1} = \varepsilon_{k+n+1}$, so the
$e_{k+n+1}$ are independent inputs between -1 and 1. As we will see
later on, but as should already be obvious because of the definitions
of sum and product of affine forms by a scalar, the semantics, using
affine forms, of the completely unfolded filter program exactly
gives, at unfolding k:

$$X_k = A^{k-1} X_1 + \sum_{i=2}^{k} A^{k-i} B E_i, \qquad E_i = \begin{pmatrix} \varepsilon_{i-n} \\ \varepsilon_{i-n+1} \\ \vdots \\ \varepsilon_i \end{pmatrix},$$

where the $X_i$ are now the obvious affine-form vector counterparts of the real vectors $X_i$ of Section 2.1.

This means that in the case A has (complex) eigenvalues of modulus
strictly less than 1, the affine forms (with a finite number of $\varepsilon_i$)
giving the semantics of values at unfolding k converge, in the $\ell_1$
sense, to an affine form with infinitely many noise symbols.

Example 2. Consider again the filter of order 2 of Example 1.
We supposed that the successive inputs $e_k$ are independent inputs
between 0 and 1, so that we can write $e_k = \tfrac12 + \tfrac12 \varepsilon_{k+1}$ (with
different noise symbols at each iterate), and $x_0 = x_1 = 0$. For
instance, if we compute the affine form after 99 unfolds, we find:

$$x_{99} = 0.83 + 7.81 \cdot 10^{-?}\, \varepsilon_1 + 2.1 \cdot 10^{-?}\, \varepsilon_2 - 1.58 \cdot 10^{-?}\, \varepsilon_3 + \ldots - 0.16\, \varepsilon_{99} + 0.35\, \varepsilon_{100}$$

whose concretization gives an exact (under the assumption that
the coefficients of the affine form are computed with arbitrary
precision) enclosure of $x_{99}$:

$$x_{99} \subseteq [-1.0907188500,\ 2.7573854753].$$

The limit affine form has a concretization converging towards (see
Figure 2): $x_\infty = [-1.09071884989\ldots,\ 2.75738551656\ldots]$.

Unfortunately, even though asymptotically (i.e. when k is large enough)
the concretization of the affine forms $x_k$ converges to a good
estimate of the values that program variable x can take (meaning,
after a large number of iterations k), this form is in no way an
invariant of the loop, and does not account for all values that this
variable can take along the loop iterations.

Example 3. This can be seen for the particular filter of order
2 of Example 1. In Figure 2, the reader with good eyes can spot
that around iterations 8-10, the concretization of x can go above
2.75738551656..., which is the asymptotic supremum. Actually, the
sup value is 2.82431841..., reached at iteration 8, whereas the
infimum is -1.12124069..., reached at iteration 13.

The aim of this paper is to describe a suitable extension of 
these affine forms that can account for such invariants. 

3. An ordered Banach space of generalized affine forms

We now extend our Banach space of affine forms in order to represent
unions of affine forms, as a perturbed affine form. We consider
$A_1 = AR_1 \oplus \mathbb{R}$ and write these new affine forms as:

$$x = \alpha_0^x + \sum_{i=1}^{\infty} \alpha_i^x \varepsilon_i + \beta^x \varepsilon_u.$$

Norms $\|\cdot\|_1$ are extended over this new domain in an obvious manner.
We now have $\|x\|_1 = |\alpha_0^x| + \|x\|_L + |\beta^x| = \|x\|_A + |\beta^x|$.

Remark: In the rest of this section, unless otherwise stated, we
restrict the study to elements in the cone $A_+$ of $A_1$ whose elements
x have a positive $\beta^x$. We will sketch some ways to extend the
results obtained, and their meaning, for all of $A_1$, in Sections 3.5.2
and 5.

We first give concrete semantics to these generalized affine
forms in Section 3.1, then we give in Section 3.2 the abstract
transfer functions for arithmetic expressions. The counterpart of
the inclusion ordering, the continuation ordering, is defined in
Section 3.3. The main technical ingredient that will allow us to find
effective join and meet operations in Section 3.5 is the equivalence
between this seemingly intractable ordering, and an ordering with
a much simpler definition, the perturbation ordering, see Theorem
15. Finally we prove in Section 3.4 that these generalized affine
forms also have the structure of an ordered Banach space. This
will be useful for proving convergence results with our iteration
schemes in Section 4.3.

2008/7/18

3.1 Concrete semantics of expressions and concretization function

Definition 4. We define the concretization function $\gamma : A_+ \to \mathbb{IR}$
(intervals) as follows, for $x = \alpha_0^x + \sum_{i \ge 1} \alpha_i^x \varepsilon_i + \beta^x \varepsilon_u$:

$$\gamma(x) = \big[\alpha_0^x - \|x\|_L - \beta^x,\ \alpha_0^x + \|x\|_L + \beta^x\big]$$

whose lower (respectively upper) bound corresponds to the infimum
(respectively supremum) of the affine form x seen as a function
from $\varepsilon_i, \varepsilon_u \in [-1,1]$ to $\mathbb{R}$.

Let Var be the set of program variables. An abstract environment
is a function $\sigma : \mathrm{Var} \to A_+$. We write $\overline{\mathrm{Var}}$ for the set of such
abstract environments. The fact that the affine forms representing
the variables share some common noise symbols can be expressed
in the joint concretization, also denoted by $\gamma$, of $\sigma$ (we suppose
here that Var is finite and equal to $\{x_1, \ldots, x_k\}$):

$$\gamma(\sigma) = \Big\{ (x_1, \ldots, x_k) \ \Big|\ \exists\, t_1, \ldots, t_n, \ldots \in [-1,1],\ u_1, \ldots, u_k \in [-1,1],\ x_j = \alpha_0^{x_j} + \sum_{i \ge 1} \alpha_i^{x_j} t_i + \beta^{x_j} u_j \ \text{for } j = 1, \ldots, k \Big\}$$

(the $t_i$ are shared by all variables, whereas each variable gets its own perturbation value $u_j$).

Example 5. Consider

$$x = 1 + \varepsilon_1 + \varepsilon_2 + \varepsilon_u, \qquad y = 2 - \varepsilon_1 + 2\varepsilon_2 + \varepsilon_u.$$

Their joint concretization is the inner polyhedron of Figure 4.

Seeing affine forms x as functions of $\varepsilon_i$ and $\varepsilon_u$, we define the
concrete semantics of arithmetic operations $+$, $-$ and $\times$ on affine
forms, with values in the set of subsets of $\mathbb{R}$, as follows. We
note $x(t_1, \ldots, t_n, \ldots, u_x)$, for $t_1, \ldots, t_n, \ldots, u_x \in [-1,1]$, the
application of x, seen as an affine function of $\varepsilon_1, \ldots, \varepsilon_n, \ldots, \varepsilon_u$, to
$t_1, \ldots, t_n, \ldots, u_x$.

The concrete semantics of $x + y$ in $\mathbb{R}$ is now

$$\mathrm{Im}\,(x + y) = \{\, x(t_1, \ldots, t_n, \ldots, u_x) + y(t_1, \ldots, t_n, \ldots, u_y) \mid t_1, \ldots, t_n, \ldots, u_x, u_y \in [-1,1] \,\}.$$

For $-x$, it is

$$\mathrm{Im}\,(-x) = \{\, -x(t_1, \ldots, t_n, \ldots, u_x) \mid t_1, \ldots, t_n, \ldots, u_x \in [-1,1] \,\}.$$

Finally, the concrete semantics of $x \times y$ is

$$\mathrm{Im}\,(x \times y) = \{\, x(t_1, \ldots, t_n, \ldots, u_x) \times y(t_1, \ldots, t_n, \ldots, u_y) \mid t_1, \ldots, t_n, \ldots, u_x, u_y \in [-1,1] \,\}.$$

We are going to give an abstract semantics for $+$, $-$ and $\times$ in the
next section.



3.2 Abstract interpretation of simple arithmetic expressions

Let Expr be the set of polynomial expressions¹, i.e. expressions
built inductively from the set of program variables Var, real number
constants, and operations $+$, $-$ and $\times$. We now define the respective
operators $+$, $-$ and $\times$ (extending the ones of Section 2.2):

Definition 6.

$$x + y = \alpha_0^x + \alpha_0^y + \sum_{i=1}^{\infty} (\alpha_i^x + \alpha_i^y)\varepsilon_i + (\beta^x + \beta^y)\varepsilon_u$$

$$-x = -\alpha_0^x - \sum_{i=1}^{\infty} \alpha_i^x \varepsilon_i + \beta^x \varepsilon_u$$

(note that the sign $+$ in $+\beta^x \varepsilon_u$ is certainly not a typo). And we
define, for affine forms x and y having a finite number of non-zero
$\alpha_i$ coefficients (we call them affine forms with finite support),

$$x \times y = \alpha_0^x \alpha_0^y + \sum_{i=1}^{\infty} (\alpha_0^x \alpha_i^y + \alpha_i^x \alpha_0^y)\varepsilon_i + \Big(\sum_{i,k \ge 1} |\alpha_i^x \alpha_k^y|\Big)\varepsilon_f + \Big(\beta^x \sum_{j=0}^{\infty} |\alpha_j^y| + \beta^y \sum_{j=0}^{\infty} |\alpha_j^x| + \beta^x \beta^y\Big)\varepsilon_u$$

where $\varepsilon_f$ is a symbol which is unused in x and in y ("fresh noise
symbol").

¹ Nothing prevents us from defining abstract transfer functions for other
operations, such as $\sqrt{\ }$, sin, acos etc., as affine forms are naturally Taylor
forms. This is not described in this article, for lack of space.

Lemma 7. We have the following correctness result on the abstract
semantics of expressions:

$$\mathrm{Im}\,(x + y) \subseteq \gamma(x + y) \subseteq \gamma(x) + \gamma(y)$$

$$\mathrm{Im}\,(-x) \subseteq \gamma(-x) \subseteq -\gamma(x)$$

$$\mathrm{Im}\,(x \times y) \subseteq \gamma(x \times y)$$

where $+$ and $-$ on the right hand side of the inclusions above are the
corresponding operations on intervals, and the last inclusion holds
only for affine forms with finite support.

Sketch of proof. This is mostly the similar classical result
in affine arithmetic [18], easily extended to $\varepsilon_u$ symbols and
infinite series (convergent in the $\ell_1$ sense). □

3.3 The continuation and the perturbation ordering

The correctness of the semantics of arithmetic expressions defined
in Section 3.2, and more generally of the semantics of a real language
(Section 4.2), relies on an information ordering, which we
call the continuation ordering, Definition 8. Unfortunately, its definition
makes it difficult to use, and we define an a priori weaker ordering,
that we call the perturbation ordering, Definition and Lemma
9, that will be easily decidable, and shown equivalent to the continuation
ordering (Proposition 13). The perturbation ordering has
minimal upper bounds, but not least upper bounds. A simple construction
will allow us to define in Section 3.6 a lattice with a
slightly stronger computational ordering, based on the perturbation
ordering.

Definition 8 (continuation order). Let $\sigma_1$ and $\sigma_2$ be two abstract
environments. We say that $\sigma_1 \sqsubseteq \sigma_2$ if and only if for all
$e \in \mathrm{Expr}$

$$\gamma[\![e]\!]\sigma_1 \subseteq \gamma[\![e]\!]\sigma_2.$$

We naturally say that $x \sqsubseteq y$ if and only if

$$\gamma[\![e]\!]\sigma[u \leftarrow x] \subseteq \gamma[\![e]\!]\sigma[u \leftarrow y]$$

for all $e \in \mathrm{Expr}$ and all $\sigma \in \overline{\mathrm{Var}}$ (and for some $u \in \mathrm{Var}$).

Definition & Lemma 9 (perturbation order). We define the following
binary relation $\le$ on elements of $A_1$:

$$x \le y \iff \|x - y\|_A \le \beta^y - \beta^x.$$

Then $\le$ is a partial order on $A_1$.

We extend this partial order componentwise to abstract environments
as follows: for all $\sigma_1, \sigma_2 : \mathrm{Var} \to A_1$,

$$\sigma_1 \le \sigma_2 \iff \forall x \in \mathrm{Var},\ \sigma_1(x) \le \sigma_2(x).$$

Sketch of proof. Reflexivity and transitivity of $\le$ are trivial. For
antisymmetry, suppose $x \le y$ and $y \le x$; then we have

$$\|x - y\|_A \le \beta^y - \beta^x, \qquad \|x - y\|_A \le \beta^x - \beta^y.$$

This implies that both $\beta^y - \beta^x$ and $\beta^x - \beta^y$ are positive, hence
necessarily zero. Hence also $\|x - y\|_A = 0$, meaning $\pi_A(x) = \pi_A(y)$ (the AR parts coincide).
Overall: $x = y$. □

² Better abstractions are available, but make the presentation more complex;
this is left for the full version of this article.

Now, we prove intermediary results in order to prove equivalence
between the two orders above. Half of this equivalence is
easy, see Lemma 10. The other half is a consequence of Lemma 11
and of Lemma 12. Theorem 15 is the same as Proposition 13, not
just for individual affine forms, but for all abstract environments.

Lemma 10. $x \sqsubseteq y \Rightarrow x \le y$.

Proof. Given x and y in $A_1$, consider the expression $e = u - v$
and the environment $\sigma$ such that $\sigma(v) = \alpha_0^y + \pi_L(y)$ (y without its perturbation term). We have
$\gamma[\![e]\!]\sigma[u \leftarrow x] \subseteq \gamma[\![e]\!]\sigma[u \leftarrow y]$, which means:

$$\big[\alpha_0^x - \alpha_0^y - \|x - y\|_L - \beta^x,\ \alpha_0^x - \alpha_0^y + \|x - y\|_L + \beta^x\big] \subseteq [-\beta^y, \beta^y].$$

Thus we have

$$\alpha_0^x - \alpha_0^y \le -\|x - y\|_L + \beta^y - \beta^x \qquad (3)$$

$$\alpha_0^x - \alpha_0^y \ge \|x - y\|_L + \beta^x - \beta^y \qquad (4)$$

Inequality (4) is equivalent to

$$\alpha_0^y - \alpha_0^x \le -\|x - y\|_L + \beta^y - \beta^x,$$

hence together with inequality (3)

$$|\alpha_0^x - \alpha_0^y| + \|x - y\|_L \le \beta^y - \beta^x,$$

which, since $\|x - y\|_A = |\alpha_0^x - \alpha_0^y| + \|x - y\|_L$, exactly translates into $x \le y$. □

Lemma 11. For all $x, y \in A_1$, $x \le y$ implies $\gamma(x) \subseteq \gamma(y)$.

Proof. We compute:

$$\sup \gamma(y) - \sup \gamma(x) = \alpha_0^y - \alpha_0^x + \|y\|_L - \|x\|_L + \beta^y - \beta^x.$$

Using the triangular inequality $\|x\|_L \le \|x - y\|_L + \|y\|_L$, and
$|\alpha_0^x - \alpha_0^y| + \|x - y\|_L = \|x - y\|_A \le \beta^y - \beta^x$, we write:

$$\sup \gamma(y) - \sup \gamma(x) \ \ge\ \alpha_0^y - \alpha_0^x - \|x - y\|_L + \beta^y - \beta^x \ \ge\ \alpha_0^y - \alpha_0^x + |\alpha_0^x - \alpha_0^y| \ \ge\ 0,$$

and similarly for the inf bound of the concretization. □

Notice that the converse of Lemma 11 is certainly not true: just
take $x = 1 + \varepsilon_1$ and $x' = 1 + \varepsilon_2$. It is easy to see that x and x' are
incomparable, but have the same concretization.

Lemma 12. $+$, $-$ and $\times$ are increasing functions on $(A_+, \le)$.

Proof. We have easily, for $x \le y$ and $z \in A_+$:

$$\|(x + z) - (y + z)\|_A = \|x - y\|_A \le \beta^y - \beta^x = \beta^{y+z} - \beta^{x+z},$$

$$\|(-x) - (-y)\|_A = \|x - y\|_A \le \beta^y - \beta^x = \beta^{-y} - \beta^{-x}.$$

Now:

$$\|x \times z - y \times z\|_A \le \|z\|_A\, \|x - y\|_A \qquad (5)$$

$$\le \|z\|_A\, (\beta^y - \beta^x) \qquad (6)$$

and

$$\beta^{y \times z} - \beta^{x \times z} = \|z\|_A (\beta^y - \beta^x) + \beta^z \big(\|y\|_A - \|x\|_A + \beta^y - \beta^x\big).$$

But $x \le y$, so $\beta^y - \beta^x \ge \|y - x\|_A \ge \|x\|_A - \|y\|_A$, the last
inequality being entailed by the triangular inequality. Thus,

$$\beta^{y \times z} - \beta^{x \times z} \ge \|z\|_A (\beta^y - \beta^x),$$

which, by combining with inequality (6), completes the proof. □

Proposition 13. $x \sqsubseteq y$ if and only if $x \le y$.




Figure 4. Joint concretization of Example 5 included in the joint
concretization of Example 14.



Sketch of proof. We know from Lemma 10 that $x \sqsubseteq y$ implies
$x \le y$. Now, let $e \in \mathrm{Expr}$, and suppose $x \le y$. We reason by
induction on e: the base case is constants and variables (trivial).
A consequence of Lemma 12 is that for all $z \in A_+$, $x + z \le y + z$,
$-x \le -y$ and $x \times z \le y \times z$. By induction on the syntax of
e, we then have $[\![e]\!]\sigma[u \leftarrow x] \le [\![e]\!]\sigma[u \leftarrow y]$. This implies by
Lemma 11 that $\gamma[\![e]\!]\sigma[u \leftarrow x] \subseteq \gamma[\![e]\!]\sigma[u \leftarrow y]$, hence $x \sqsubseteq y$. □

Finally, we can prove the following more general equivalence,
which is nothing but obvious at first. The example below shows the
subtlety of this result.

Example 14. To illustrate one of the aspects of the next theorem, that
is, $x \le x'$ implies that any joint concretization of x' with other
affine forms (say just one, y, here) contains the joint concretization
of x with y, take again x as in Example 5 and

$$x' = ?\,\varepsilon_1 + \varepsilon_2 + 2\varepsilon_u$$

Of course, $x \le x'$; Figure 4 shows the inclusion of the joint
concretization of (x, y) in the joint concretization of (x', y). Note
that several of the faces produced are fairly different.

Theorem 15. Let $\sigma_1, \sigma_2$ be two abstract environments, then $\sigma_1 \le \sigma_2$ if and only if $\sigma_1 \sqsubseteq \sigma_2$.

Sketch of proof. It can be shown first (classical result in affine
arithmetic [18]) that $\gamma(\sigma_2)$ is a polyhedron (of a particular kind,
called a zonotope). It means that it can be equivalently described
by a system of affine constraints ($j = 1, \ldots, k$):

$$\sum_{x \in \mathrm{Var}} a_x^j\, x \le b^j.$$

Consider the expressions (in Expr) $e^j = \sum_{x \in \mathrm{Var}} a_x^j\, x - b^j$.
We know that for all $x \in \mathrm{Var}$, $\sigma_1(x) \le \sigma_2(x)$, hence by
Proposition 13 $\sigma_1(x) \sqsubseteq \sigma_2(x)$. This entails, by induction on Var,
that $\gamma[\![e^j]\!]\sigma_1 \subseteq \gamma[\![e^j]\!]\sigma_2$. Thus the constraint $\sum_{x \in \mathrm{Var}} a_x^j\, x \le b^j$ is
satisfied by elements of $\gamma(\sigma_1)$, by Lemma 7. So $\gamma(\sigma_1) \subseteq \gamma(\sigma_2)$.

Let e be any expression in Expr: the result follows from
Proposition 13 and the result above, by induction on e. □

3.4 Ordered Banach structure

The aim of this section is to prove Proposition 16. This will be
central to the proofs in Sections 3.6 and 4.

Proposition 16. $(A_1, \le)$ is an ordered Banach space.

Sketch of proof. First, we show that the partial order $\le$ of
Definition and Lemma 9 makes $A_1$ into an ordered vector space.

For showing this, we have to show compatibility of $\le$ with
the linear structure, i.e., for $\lambda \ge 0$ and $x \le y$, and for all z:
$x + z \le y + z$, $\lambda x \le \lambda y$, and $-y \le -x$ (here $+$ and $-$ are the vector space
operations of $A_1$, which negate $\beta$ as well, not the abstract operators of Definition 6), which is immediate
verification.

The only remaining property to prove is that $\le$ is closed in
$A_1 \times A_1$, in the product topology, $A_1$ being given the Banach
topology of the $\ell_1$ norm. Suppose $x_n$ converges towards x as n
goes towards $\infty$, in the sense of the $\ell_1$ norm, and suppose for all n,
$x_n \le y$. Then

$$\|y - x\|_A \le \|y - x_n\|_A + \|x_n - x\|_A \le \pi_u(y) - \pi_u(x_n) + \varepsilon$$

for all $\varepsilon > 0$ and $n > N(\varepsilon)$, where $\pi_u(x) = \beta^x$. By continuity of $\pi_u$, we thus know
that there exists $K(\varepsilon)$ such that for all $n > \sup(N(\varepsilon), K(\varepsilon))$:

$$\|y - x\|_A \le \|y - x_n\|_A + \|x_n - x\|_A \le \pi_u(y) - \pi_u(x) + 2\varepsilon.$$

Letting $\varepsilon$ go to 0 gives $x \le y$. This concludes the proof. □

A different way of stating that $(A_1, \le)$ is an ordered vector
space is to introduce the subset C of $A_1$ such that

$$x \le y \iff y - x \in C,$$

and show it is indeed the cone of $\le$, see [1]. We see that

$$C = \{ x \mid \|x\|_A \le \beta^x \}.$$

This is the analogue of the Lorentz cone in special relativity theory,
but with the $\ell_1$ norm instead of the $\ell_2$ norm.

To use the vocabulary from relativity theory, identifying the AR
part with the space coordinates and the $\beta$ coefficient with the time
coordinate, $\le$ is the causal order: $x \le y$ if the space-time
interval [x, y] is time-like or light-like, whereas x and y are incomparable if [x, y]
is space-like. Other considerations, using domain-theoretic
methods, on the causal order in the case of the $\ell_2$ Lorentz
cone can be found for instance in [14].

3.5 The quasi lattice structure

We will show in this section that $(A_1, \le)$ is almost a bounded
complete partial order (bcpo). It is not a bcpo because there is not
in general any least upper bound. This is a consequence of [13]: as
the cone C of our partial order has 2n generators (the generators
of the polyhedron which is the unit $\ell_1$ ball), it cannot be simplicial,
hence $(A_1, \le)$ is not a lattice. Instead, there are in general infinitely
many minimal upper bounds, which will suffice for our semantics
purposes. We prove furthermore that many bounded subsets of $A_1$
("enough" again) admit minimal upper bounds.

We first recall the definition of a minimal upper bound or mub
(maximal lower bounds, or mlb, are defined similarly):

Definition 17. Let $\sqsubseteq$ be a partial order on a set X. We say that
z is a mub of two elements x, y of X if and only if

• z is an upper bound of x and y, i.e. $x \sqsubseteq z$ and $y \sqsubseteq z$,

• for all z' upper bound of x and y, $z' \sqsubseteq z$ implies $z = z'$.

We note that for the order $\le$, we have a very simple characterization
of mubs, if they exist (proving existence, and deriving some
formulas, when available, are the aims of the section to come).

Lemma 18. Let x and y be two elements of $A_1$. Then z is a mub
of x and y if and only if

• $x \le z$ and $y \le z$,

• $\beta^z$ is minimal among the $\beta^t$, for all t upper bounds of x and y.

Proof. Suppose we have z such as defined above. Take any upper
bound t of x and y and suppose $t \le z$. Then: $\|z - t\|_A \le \beta^z - \beta^t$.
Hence, $\beta^z \ge \beta^t$. But by hypothesis, $\beta^z$ is minimal among all
upper bounds, so $\beta^z = \beta^t$. Then this implies $\|z - t\|_A = 0$, so
$\pi_A(z) = \pi_A(t)$ as well, hence $z = t$. □

In what follows, we will need an extra definition: 



Definition 19. Let x and y be two intervals. We say that x and
y are in generic positions if, whenever one of them is included in the other, $\inf x = \inf y$ or
$\sup x = \sup y$.

By extension, we say that two affine forms x and y are in generic
positions when $\gamma(x)$ and $\gamma(y)$ are intervals in generic positions.

3.5.1 The join operation

For any interval i, we note mid(i) its center. Let $\alpha_i^x \wedge \alpha_i^y$ denote
the minimum of the two real numbers, and $\alpha_i^x \vee \alpha_i^y$ their maximum.
We define

$$\operatorname{argmin} |\alpha| = \{\alpha \in [\alpha_i^x \wedge \alpha_i^y,\ \alpha_i^x \vee \alpha_i^y],\ |\alpha| \text{ minimal}\}$$

$$\operatorname{argmax} |\alpha| = \{\alpha \in [\alpha_i^x \wedge \alpha_i^y,\ \alpha_i^x \vee \alpha_i^y],\ |\alpha| \text{ maximal}\}$$

Proposition 20. Let $x, y \in A_1$. There exist minimal upper
bounds z of x and y if and only if

$$\|x - y\|_A \ge |\beta^x - \beta^y|. \qquad (7)$$

Moreover, the minimal upper bounds, when they exist, all satisfy

$$\beta^z = \tfrac12 \big(\|x - y\|_A + \beta^x + \beta^y\big), \qquad (8)$$

$$\alpha_i^x \wedge \alpha_i^y \le \alpha_i^z \le \alpha_i^x \vee \alpha_i^y, \quad \forall i \ge 0, \qquad (9)$$

and they are such that $\|x - z\|_A = \beta^z - \beta^x$ and $\|y - z\|_A = \beta^z - \beta^y$.



Proof. We first characterize $\beta^z$ by expressing $x \le z$ and $y \le z$:

$$\|x - y\|_A \le \|x - z\|_A + \|y - z\|_A \le \beta^z - \beta^x + \beta^z - \beta^y.$$

The smallest possible $\beta^z$ thus is $\beta^z = \tfrac12(\|x - y\|_A + \beta^x + \beta^y)$.
Let us now characterize solutions with such a $\beta^z$; they satisfy:

$$\|x - z\|_A + \|y - z\|_A \le 2\beta^z - \beta^x - \beta^y = \|x - y\|_A \le \|x - z\|_A + \|y - z\|_A,$$

which is

$$\|x - z\|_A + \|y - z\|_A = \|x - y\|_A,$$

thus implying that every $\alpha_i^z$ lies between $\alpha_i^x$ and $\alpha_i^y$, which is
equivalent to (9). Also, since both inequalities $\|x - z\|_A \le \beta^z - \beta^x$ and $\|y - z\|_A \le \beta^z - \beta^y$ sum up to this equality, these solutions are such that $\|x - z\|_A =
\beta^z - \beta^x$ and $\|y - z\|_A = \beta^z - \beta^y$. Thus, there exist solutions only
if $\beta^z - \beta^x \ge 0$ and $\beta^z - \beta^y \ge 0$, and the combination of these
two inequalities, with $\beta^z$ defined by (8), is equivalent to (7).

Let us now check that there exist minimal upper bounds under
this assumption: we must prove that if (7) holds, there exists z
satisfying (8) and (9) such that

$$\|x - z\|_A + \|y - z\|_A = \|x - y\|_A \quad \text{and} \quad \|x - z\|_A - \|y - z\|_A = \beta^y - \beta^x.$$

The first part of this equality is always satisfied when (9) holds. The second
part is about the existence of solutions to $f(z) = 2\|y - z\|_A -
\|x - y\|_A + \beta^y - \beta^x = 0$. Using (7), we have $f(y) \le 0$ and
$f(x) \ge 0$, and f is continuous along the segment from y to x (all of whose points satisfy (9)), so there exist indeed such minimal upper bounds z
when (7) is satisfied. □

Example 21. Take $x = \varepsilon_1$ and $y = 2\varepsilon_u$; condition (7) is not
satisfied ($\|x - y\|_A = 1 < 2 = |\beta^x - \beta^y|$), so there exists no minimal upper bound. Indeed, minimal
upper bounds would be $z = a + b\varepsilon_1 + 1.5\varepsilon_u$, with $0 \le a \le 0$
and $0 \le b \le 1$. And expressing $\|x - z\|_A = \beta^z - \beta^x = 1.5$ gives
$b = -0.5$, which is not admissible (not in [0,1]).

We note that when x and y do not have $\varepsilon_u$ symbols, there always
exist minimal upper bounds. In the case when they do not exist, we
will use a widening introduced in Definition 32.

Example 22. Take $x = 1 + \varepsilon_1$ and $y = 2\varepsilon_1$. We have $\gamma(x) =
[0, 2]$ and $\gamma(y) = [-2, 2]$, so x and y are in generic positions.
Minimal upper bounds z of x and y are

$$z = a + b\varepsilon_1 + \varepsilon_u,$$

where $\|x - z\|_A = \|y - z\|_A = \beta^z$. This implies $a - b = -1$,
with $0 \le a \le 1$, and $1 \le b \le 2$. Among these solutions, we find a
unique one that minimizes the width of the concretization, by taking
$b = 1$ and thus $a = 0$. This solution satisfies $\gamma(z) = \gamma(x) \cup \gamma(y)$,
$\alpha_0^z (= a) = \operatorname{mid}(\gamma(x) \cup \gamma(y))$ and $\alpha_1^z (= b) = \operatorname{argmin}_{\alpha_1^x \wedge \alpha_1^y \le \alpha \le \alpha_1^x \vee \alpha_1^y} |\alpha|$.
In Proposition 26 we show that this is a general result when x
and y are in generic positions.

Example 23. Now take $x = 1 + \varepsilon_1$ and $y = 4\varepsilon_1$; this time $\gamma(x)$ 
and $\gamma(y)$ are not in generic positions. Minimal upper bounds $z$ are: 

$$z = a + b\varepsilon_1 + 2\varepsilon_U,$$

where $a - b = -2$, $0 \le a \le 1$, and $1 \le b \le 4$. Now, 
let us minimize the width of the concretization as in the previous 
example. The problem is that we cannot choose in this case 
$b = \operatorname*{argmin}_{\alpha_1^x \wedge \alpha_1^y \le \alpha \le \alpha_1^x \vee \alpha_1^y} |\alpha| = 1$ because then the value of $a$ ($-1$) deduced from $a - b = -2$ is not admissible (it is not between 0 and 
1). The solution minimizing the width of the concretization is in fact 
$z = 2\varepsilon_1 + 2\varepsilon_U$, and it is such that $\alpha_0^z (= a) = \mathrm{mid}(\gamma(x) \cup \gamma(y))$ 
and $\gamma(z) = \gamma(x) \cup \gamma(y)$. 

We now give an intuition on the general case by taking examples 
with several noise symbols. 

Example 24. Take $x = 3 + \varepsilon_1 + 2\varepsilon_2$ and $y = 1 - 2\varepsilon_1 + \varepsilon_2$. 
We have $\gamma(x) = [0, 6]$ and $\gamma(y) = [-2, 4]$; $\gamma(x)$ and $\gamma(y)$ are 
in generic positions. Minimal upper bounds are $z = a + b\varepsilon_1 + c\varepsilon_2 + 3\varepsilon_U$, where $a + b + c = 3$, $1 \le a \le 3$, $-2 \le b \le 1$, and 
$1 \le c \le 2$. Among these solutions, we can still find a unique one 
that minimizes the width of the concretization, taking $a = 2$, $b = 0$ 
and $c = 1$: $z = 2 + \varepsilon_2 + 3\varepsilon_U$. 

Example 25. Take $x = 1 + \varepsilon_1 + 2\varepsilon_2 + \varepsilon_3$ and $y = -2 - 6\varepsilon_1 + \varepsilon_2 + 2\varepsilon_3$. We have $\gamma(x) = [-3, 5]$ and $\gamma(y) = [-11, 7]$, so here 
$\gamma(x)$ and $\gamma(y)$ are not in generic positions. Minimal upper bounds 
are $z = a + b\varepsilon_1 + c\varepsilon_2 + d\varepsilon_3 + 6\varepsilon_U$, where $a + b + c - d = -3$, 
$-2 \le a \le 1$, $-6 \le b \le 1$, $1 \le c \le 2$ and $1 \le d \le 2$. Again, as in 
Example 23, minimizing the concretization of $z$ by minimizing the 
absolute value of $b$, $c$ and $d$ does not give an admissible solution 
(when $b = 0$, $c = 1$, $d = 1$, relation $a + b + c - d = -3$ 
gives $a = -3$ which is not admissible). But, as the minimal 
concretization for $z$ is in any case $\gamma(x) \cup \gamma(y)$, we can try to impose 
it. This gives $a = \mathrm{mid}(\gamma(x) \cup \gamma(y)) = -2$, and an additional 
relation $-2 + |b| + c + d + 6 = 7$. 

All solutions $z = -2 + b\varepsilon_1 + c\varepsilon_2 + d\varepsilon_3 + 6\varepsilon_U$, with $-6 \le b \le 1$, 
$1 \le c \le 2$, $1 \le d \le 2$, $|b| + c + d = 3$ and $b + c - d = -1$ 
are minimal upper bounds with minimum concretization, and there 
are an infinite number of them; we can choose for example $z = -2 - \varepsilon_1 + \varepsilon_2 + \varepsilon_3 + 6\varepsilon_U$, or $z = -2 + \varepsilon_2 + 2\varepsilon_3 + 6\varepsilon_U$, etc. 

Proposition 26. Let $x, y \in A_1$ such that (7) holds. If $\gamma(x)$ and 
$\gamma(y)$ are in generic positions, then $z$ defined by (8) and 

$$\alpha_0^z = \mathrm{mid}(\gamma(x) \cup \gamma(y)), \qquad \alpha_i^z = \operatorname*{argmin}_{\alpha_i^x \wedge \alpha_i^y \le \alpha \le \alpha_i^x \vee \alpha_i^y} |\alpha|, \ \forall i \ge 1$$

is the unique minimal upper bound of $x$ and $y$ whose concretization 
is the union of the concretizations of $x$ and $y$. 

If $\gamma(x)$ and $\gamma(y)$ are not in generic positions and $\gamma(x) \subset \gamma(y)$ 
(we get symmetric properties when $\gamma(y) \subset \gamma(x)$), then all $z$ 
satisfying (8), (9), and 

$$\alpha_0^z = \mathrm{mid}(\gamma(x) \cup \gamma(y)) = \alpha_0^y, \qquad \alpha_i^y \le \alpha_i^z \le 0 \ \text{ or } \ 0 \le \alpha_i^z \le \alpha_i^y, \ \forall i \ge 1 \qquad (10)$$

are minimal upper bounds with concretization the union of the 
concretizations of $x$ and $y$. 

Indeed, the solution with minimal concretization is particularly 
interesting when computing fixpoints in loops, by preserving the 
stability of the concretizations of variable values in iterates, as we 
will see in Theorem 41. 

Sketch of proof. We want to find $\alpha_i^z$ such that the concretization 
is the smallest possible, with the above conditions still holding. 
For that, we have to minimize $|\alpha_i^z|$ with constraints (9); we thus set 

$$\alpha_i^z = \operatorname*{argmin}_{\alpha_i^x \wedge \alpha_i^y \le \alpha \le \alpha_i^x \vee \alpha_i^y} |\alpha|, \ \forall i \ge 1.$$

For this choice of the $\alpha_i^z$, then for all $i \ge 1$, we can prove the 
two following properties: 

$$|\alpha_i^x - \alpha_i^z| - |\alpha_i^y - \alpha_i^z| = |\alpha_i^x| - |\alpha_i^y| \qquad (11)$$

$$|\alpha_i^x - \alpha_i^z| + |\alpha_i^y - \alpha_i^z| = |\alpha_i^x| + |\alpha_i^y| - 2|\alpha_i^z| \qquad (12)$$

We still have to define $\alpha_0^z$: let us now, using $\|x - z\|_A = \beta^z - \beta^x$ 
and $\|y - z\|_A = \beta^z - \beta^y$, write $\|x - z\|_A - \|y - z\|_A = \beta^y - \beta^x$ 
and express it using property (11). 
When $\alpha_0^x \le \alpha_0^z \le \alpha_0^y$, we can then show that it can be rewritten as the first equality below, and, using (12) in (8), that $\beta^z$ is given by the second one: 

$$\alpha_0^z = \tfrac{1}{2}\Big(\alpha_0^x + \alpha_0^y + \sum_{i \ge 1}|\alpha_i^y| + \beta^y - \sum_{i \ge 1}|\alpha_i^x| - \beta^x\Big), \qquad \beta^z = \tfrac{1}{2}\Big(\alpha_0^y - \alpha_0^x + \sum_{i \ge 1}|\alpha_i^x| + \sum_{i \ge 1}|\alpha_i^y| - 2\sum_{i \ge 1}|\alpha_i^z| + \beta^x + \beta^y\Big) \qquad (13)$$

When $\alpha_0^x \le \alpha_0^y$, and $\gamma(x)$ and $\gamma(y)$ are in generic positions, 
then $\alpha_0^x - \sum_{i \ge 1}|\alpha_i^x| - \beta^x$ is the minimum of $\gamma(x) \cup \gamma(y)$, and 
$\alpha_0^y + \sum_{i \ge 1}|\alpha_i^y| + \beta^y$ its maximum. So $\alpha_0^z$ is indeed the center of 
$\gamma(x) \cup \gamma(y)$, and the concretization of $z$ thus defined is the minimal 
possible, that is $\gamma(x) \cup \gamma(y)$. The proof is of course symmetric when 
$\alpha_0^y \le \alpha_0^x$. 

Now if $\gamma(x)$ and $\gamma(y)$ are not in generic positions, and for 
instance here $\gamma(x) \subset \gamma(y)$, then we can use $\alpha_0^y + \sum_{i \ge 1}|\alpha_i^y| + \beta^y > \alpha_0^x + \sum_{i \ge 1}|\alpha_i^x| + \beta^x$ in (13) to deduce $\alpha_0^z > \alpha_0^x$, and 
$\alpha_0^x - \sum_{i \ge 1}|\alpha_i^x| - \beta^x > \alpha_0^y - \sum_{i \ge 1}|\alpha_i^y| - \beta^y$ in (13) to deduce $\alpha_0^z > \alpha_0^y$, which is not admissible. So $z$ given by $\alpha_i^z = \operatorname*{argmin}_{\alpha_i^x \wedge \alpha_i^y \le \alpha \le \alpha_i^x \vee \alpha_i^y} |\alpha|$ is not a minimal upper bound in the non generic case. In order 
to have minimal concretization, we must have $\alpha_0^z = \mathrm{mid}(\gamma(x) \cup \gamma(y)) = \alpha_0^y$ and 

$$\alpha_0^z + \sum_{i \ge 1}|\alpha_i^z| + \beta^z = \alpha_0^y + \sum_{i \ge 1}|\alpha_i^y| + \beta^y$$

which can be rewritten 

$$\|z\|_A = \|y\|_A + \beta^y - \beta^z = \|y\|_A - \|y - z\|_A,$$

equivalent to (10). The proof and conditions are of course symmetric 
when $\gamma(y) \subset \gamma(x)$. $\square$ 

Note that, as we will show in Section 3.6, the join operator thus 
defined is not associative in the non generic case. What's more, 
as we will see, the affine form obtained by two successive join 
operations may not even be a minimal upper bound of the three 
joined affine forms. In Section 3.7, we will thus introduce a first 
(associative) widening of this join operation, which we will use to 
define a partial order. 

(Footnote) This is a slight abuse of notation here: we do not have in general the finite 
chain property, but a similar one, in our framework (convergence in a finite 
time, in finite arithmetic). 
3.5.2 The meet operation 

If $(A_1, \le)$ admitted binary least upper bounds, then we would have 
a Riesz space, for which $x \sqcap y$ would be defined as $-((-x) \sqcup (-y))$. 
Here, we have a different formula, linking $\sqcap$ with $\sqcup$ in some interesting cases. Intersections will produce negative $\beta$ coefficients, 
where unions were producing positive $\beta$ coefficients. 

Lemma 27. For all $x, y$ in $A_1$, there exist maximal lower bounds 
(or mlb) $z$ of $x$ and $y$ if and only if 

$$\|y - x\|_A \ge |\beta^x - \beta^y|. \qquad (14)$$

They then all satisfy (for all $i \ge 1$): 

$$\beta^z = \tfrac{1}{2}\big(\beta^x + \beta^y - \|y - x\|_A\big), \qquad \alpha_i^x \wedge \alpha_i^y \le \alpha_i^z \le \alpha_i^x \vee \alpha_i^y.$$

Sketch of proof. Being a lower bound of $x$ and $y$ means: 

$$\|z - x\|_A \le \beta^x - \beta^z, \qquad \|z - y\|_A \le \beta^y - \beta^z.$$

Summing the two inequalities, and using the triangular inequality: 

$$\|y - x\|_A \le \|z - y\|_A + \|z - x\|_A \le \beta^x + \beta^y - 2\beta^z.$$

Hence $\beta^z \le \tfrac{1}{2}(\beta^x + \beta^y - \|y - x\|_A)$, giving an upper bound. 
As we want a maximal $z$, the natural question is whether we can 
reach this bound. This is the case when the triangular inequality 
for the $\ell_1$ norm is an equality, which is the case when $\alpha_i^x \wedge \alpha_i^y \le \alpha_i^z \le \alpha_i^x \vee \alpha_i^y$. A solution exists to these constraints only if (14) is 
satisfied, as for the proof of Proposition 20. $\square$ 

Contrarily to the join operators, we cannot in general impose 
(even in generic position) for a mlb $z$ to have a given concretization, 
such as $\gamma(x) \cap \gamma(y)$, or even a smaller value, such as the interval 
that contains all values that $x(t_1, \ldots, u_x)$ and $y(t_1, \ldots, u_y)$ share 
for some $t_1, \ldots, u_x, u_y \in [-1, 1]$. 

Example 28. Consider $x = 1 + \varepsilon_1 - 2\varepsilon_2 \in [-2, 4]$ and $y = 2 + 2\varepsilon_1 + \varepsilon_2 \in [-1, 5]$. They are in generic position. Then $z$ is 
a mlb with concretization $\gamma(z) = \gamma(x) \cap \gamma(y) = [-1, 4]$ if and 
only if $z = 1.5 + a\varepsilon_1 + b\varepsilon_2 - \tfrac{5}{2}\varepsilon_U$, $a + b = 1$, $a + |b| = 5$, 
$-2 \le b \le 1$ and $1 \le a \le 2$. Suppose $b$ is positive; then we want to 
have $a + b = 5$ and $a + b = 1$, which is impossible. So $b$ is negative 
and we want to solve $a - b = 5$ and $a + b = 1$, therefore $a = 3$ 
and $b = -2$, which is impossible because of the constraints we precisely imposed on $b$ (and on $a$, which has to be less than 2). 

In some cases though, such mlb operators exist and we can give 
an explicit formula: 

Lemma 29. In case $x$ and $y$ are in generic positions, (14) is 
satisfied, and $\alpha_i^x \alpha_i^y \ge 0$ for all $i \ge 1$, there exists a maximal 
lower bound $z$ with $\gamma(z) = \gamma(x) \cap \gamma(y)$, given by the formulas: 

• $\alpha_0^z = \mathrm{mid}(\gamma(x) \cap \gamma(y))$ 

• $\alpha_i^z = \operatorname*{argmax}_{\alpha_i^x \wedge \alpha_i^y \le \alpha \le \alpha_i^x \vee \alpha_i^y} |\alpha|$ for all $i \ge 1$ 

In this case, we have: 

$$x \sqcap y + x \sqcup y = x + y \qquad (15)$$

Proof. The formula for $\beta^z$ is given by Lemma 27. The fact that 
the concretization of $z$ is $\gamma(x) \cap \gamma(y)$ implies the formula for $\alpha_0^z$. 
The formulas for $\alpha_i^z$, $i \ge 1$ can be checked easily as follows: 
as $\gamma(x)$ and $\gamma(y)$ are in generic positions, $\gamma(x) \cap \gamma(y)$ and $\gamma(x)$ 
(similarly with $\gamma(y)$) are in generic positions. Thus we can use the 
formula of Proposition 26 for the join operator, to compute $z \sqcup x$ 
and $z \sqcup y$. It is easily seen now that for $uv \ge 0$, and $w = \operatorname*{argmax}_{u \wedge v \le \alpha \le u \vee v} |\alpha|$, 

$$\operatorname*{argmin}_{w \wedge u \le \alpha \le w \vee u} |\alpha| = u, \qquad \operatorname*{argmin}_{w \wedge v \le \alpha \le w \vee v} |\alpha| = v.$$

Hence $\alpha_i^{z \sqcup x} = \alpha_i^x$ and $\alpha_i^{z \sqcup y} = \alpha_i^y$ for all $i \ge 1$. 

Furthermore, $\gamma(z \sqcup y) = \gamma(y)$ and $\gamma(z \sqcup x) = \gamma(x)$, hence 
$\alpha_0^{z \sqcup x} = \alpha_0^x$ and $\alpha_0^{z \sqcup y} = \alpha_0^y$. Finally, again because of this equality 
of concretizations, and because all coefficients but $\beta^{z \sqcup x}$ (respectively 
$\beta^{z \sqcup y}$) have been shown equal to the ones of $x$ (respectively $y$), we 
have necessarily that $\beta^{z \sqcup x} = \beta^x$ (respectively $\beta^{z \sqcup y} = \beta^y$). 

Therefore $x = z \sqcup x \ge z$ and $y = z \sqcup y \ge z$, so $z$ is a lower 
bound of $x$ and $y$. Because of the value of $\beta^z$, by Lemma 27 and 
Lemma 18 (adapted to mlbs), $z$ is an mlb (with the right concretization). $\square$ 

3.6 Quasi bounded completeness 

We prove that we have almost bounded completeness of $A_1$. Unfortunately, as shown in Example 31, this is barely usable in practice, 
and we resort to a useful sub-structure of $A_1$ in Section 3.7 (in particular, with a view to Section 4). 

Proposition 30. $(A_1, \le)$ is a quasi bounded-complete partial order (or is quasi-"Dedekind-complete"), meaning that any 
bounded subset $A$ of $A_1$ such that for all $x, y$ in $A$ condition (16) holds has a minimal upper bound in $A_1$. 

Sketch of proof. 

Let $b$ be an upper bound of all $a_i \in A$. This means again, for 
all pairs $i, j$, that 

$$\beta^b \ge \tfrac{1}{2}\big(\|a_j - a_i\|_A + \beta^{a_i} + \beta^{a_j}\big).$$

We can always suppose that $b = \alpha_0^b + \beta^b \varepsilon_U$. As $b$ dominates all 
$a_i \in A$, we have, using the triangular inequality: 

$$\|a_i - a_j\|_A \le \|a_i - b\|_A + \|b - a_j\|_A \le 2\beta^b - \beta^{a_i} - \beta^{a_j},$$

so $\beta^b$ bounds every pairwise term. This means that we can write: 

$$\beta^z = \sup_{i, j}\Big\{\tfrac{1}{2}\big(\|a_i - a_j\|_A + \beta^{a_i} + \beta^{a_j}\big)\Big\}$$

which exists in $\mathbb{R}$, with $\beta^b \ge \beta^z$. Similarly to the proof of Proposition 20, condition (16) allows to prove existence of a solution to the mub equations. 

$\square$ 

Unfortunately, even if we pick one of the possible join operators, they are not in general associative operators, which means 
that even for countable subsets $A$ of $A_1$, according to the iteration 
strategy we choose, we might end up with a non-minimal upper 
bound. 

Example 31. Take 

$$x = 1 + 2\varepsilon_1 - \varepsilon_2 + 2\varepsilon_3, \qquad y = \varepsilon_1 + \varepsilon_2 + \varepsilon_3, \qquad z = 5 + \varepsilon_1 - 2\varepsilon_2.$$

When computing with one of the possible join operators previously 
defined, we obtain 

$$\begin{aligned}
(x \sqcup y) \sqcup z &= 2 + \varepsilon_1 + b_1\varepsilon_2 + 0.5(7.5 + a_1 + b_1 + c_1)\varepsilon_U \\
(y \sqcup z) \sqcup x &= 2 + \varepsilon_1 + 5\varepsilon_U \\
(x \sqcup z) \sqcup y &= 2 + \varepsilon_1 + b_2\varepsilon_2 + (0.5 + b_2)\varepsilon_3 + 4.5\varepsilon_U,
\end{aligned}$$

with $a_1 - b_1 + c_1 = 2.5$, $1 \le a_1 \le 2$, $-1 \le b_1 \le 0$, $1 \le c_1 \le 2$, 
and $-1 \le b_2 \le 0$. 

We see on this example that, in the case where all concretizations are not in generic positions, the join operator is not associative. Moreover, the result of two successive join operations 
may not be a minimal upper bound of three affine forms because 
we do not always get the same $\beta$ coefficient (5 when computing 
$(y \sqcup z) \sqcup x$, and 4.5 when computing $(x \sqcup z) \sqcup y$). Indeed, we have 
here $(x \sqcup z) \sqcup y \le (y \sqcup z) \sqcup x$ when $-0.5 \le b_2 \le 0$. 

We fix this difficulty in the next section. 

3.7 A bounded lattice sub-structure 

In practice, we obtain a stronger sub-structure by using a widening 
instead of the minimal upper bound: 

Definition & Lemma 32. We define the widening operation 
$z = x \nabla y$ by 

• $\alpha_0^z = \mathrm{mid}(\gamma(x) \cup \gamma(y))$ 

• $\alpha_i^z = \operatorname*{argmin}_{\alpha_i^x \wedge \alpha_i^y \le \alpha \le \alpha_i^x \vee \alpha_i^y} |\alpha|$ for all $i \ge 1$, 

• $\beta^z = \sup \gamma(x \cup y) - \alpha_0^z - \sum_{i \ge 1} |\alpha_i^z|$ 

In the case when $x$ and $y$ are in generic positions, $\nabla$ is the union 
defined in Section 3.5.1. Otherwise, $x \nabla y$ has as concretization the 
union of the concretizations of $x$ and $y$; it is an upper bound of 
$x$ and $y$ (but it is not a minimal upper bound with respect to $\le$, 
because $\beta^z$ is not minimal). 

This operator has the advantages of presenting a simple and 
explicit formulation, a stable concretization with respect to the 
operands, and of being associative. 

Definition & Lemma 33 (computational order). Let $\ll$ be the 
binary relation defined by: 

$$x \ll y \iff x \nabla y = y.$$

Then, $\ll$ is a partial order. 

Sketch of proof. Reflexivity comes from $x \nabla x = x$. Antisymmetry is trivial. Transitivity comes from the associativity of $\nabla$. $\square$ 

Lemma 34. $x \ll y$ if and only if: 

• $\gamma(x) \subseteq \gamma(y)$ and 

• for all $i \ge 1$, $0 \le \alpha_i^y \le \alpha_i^x$ or $\alpha_i^x \le \alpha_i^y \le 0$. 

Sketch of proof. The first condition ensures that $\alpha_0^{x \nabla y} = \alpha_0^y$ and $\beta^{x \nabla y} = \beta^y$. Take $i \ge 1$. If $\alpha_i^x \alpha_i^y \le 0$ then, because 
$\operatorname*{argmin}_{\alpha_i^x \wedge \alpha_i^y \le \alpha \le \alpha_i^x \vee \alpha_i^y} |\alpha| = \alpha_i^y$, $\alpha_i^y$ has to be zero. Otherwise, this 
translates precisely to the second condition. 

Definition 35. We define the operation $z = x \Delta y$ by 

• $\alpha_0^z = \mathrm{mid}(\gamma(x) \cap \gamma(y))$ 

• $\alpha_i^z = \operatorname*{argmax}_{\alpha_i^x \wedge \alpha_i^y \le \alpha \le \alpha_i^x \vee \alpha_i^y} |\alpha|$ for all $i \ge 1$ such that $\alpha_i^x \alpha_i^y \ge 0$; otherwise $\alpha_i^z = 0$ 

• $\beta^z = \sup \gamma(x \cap y) - \alpha_0^z - \sum_{i \ge 1} |\alpha_i^z|$ 

Proposition 36. $(A_1, \ll)$ is a bounded complete lattice, with: 

• $\nabla$ being the union, 

• $\Delta$ being the intersection. 

Sketch of proof. Easy verification for the binary unions and 
intersections. Take now $A \subseteq A_1$ and $b$ an upper bound of $A$. Then 
$\gamma(a) \subseteq \gamma(b)$ for all $a \in A$, so $I = \bigcup_{a \in A} \gamma(a)$ has finite bounds. 
This gives us $\alpha_0 = \mathrm{mid}(I)$. 

Consider now any countable filtration of $A$ by an increasing sequence of finite subsets $A_k$, $k \in K$, and consider $a^k = \nabla A_k$ 
any minimal upper bound of $A_k$. We know that $|\alpha_i^{a^k}|$ is a decreasing sequence of positive real numbers when $k$ increases, so it 
converges. We also know that the sign of $\alpha_i^{a^k}$ remains constant, so 
$\alpha_i^{a^k}$ converges, say to $\alpha_i$. Last but not least, let $\beta = \sup I - \alpha_0 - \sum_{i=1}^{\infty} |\alpha_i|$; we argue that $\alpha_0 + \sum_{i=1}^{\infty} \alpha_i \varepsilon_i + \beta \varepsilon_U$ is a 
minimal upper bound of $A$ in $A_1$. $\square$ 

This allows us to use $\nabla$ (and $\Delta$) as effective widenings during the 
iteration sequence for solving the least fixed point problem. 

4. Iteration schemes and convergence properties 

This is where all the properties we studied fit together, to reach the 
important Theorem 41 stating good behavior of the Kleene-like 
iteration schemes defined in Section 4.2. First, we show that we 
must improve the computation of the abstract semantic functional 
between two union points; this is explained in Section 4.1. We also 
improve things a little bit, on the practical side, by defining new 
widening operators, in Section 4.4. 

4.1 The shift operator and the iteration scheme 

One problem we encounter if we are doing the blind Kleene iteration in the lattice of Proposition 36 is that we introduce $\varepsilon_U$ coefficients, for which the semantics of arithmetic expressions is far less 
well behaved than for "ordinary" noise symbols $\varepsilon_i$. 

Example 37. Let us give a first simple example of what can go 
wrong. Consider the following program: 

F(real a) { 
  real x; 
  x = input(-1,1);    [1] 
  while (true) 
    x = x - a*x;      [2] 
} 

Suppose that $a$ can only be given values strictly between 0 and 
1; then it is easy to see that this scheme will converge towards 
zero, no matter what the initial value of $x$ is. As the scheme is 
essentially equivalent, in real numbers, to $x_{n+1} = (1 - a)x_n$, with 
$|1 - a| < 1$, a simple Kleene iteration scheme should converge. 
Let us look at the successive iterates $x_i$ at control point [2] of this 
scheme. First, note that $x_{i+1} = \varepsilon_1 \sqcup (x_i - a x_i)$ (or equivalently 
$x_{i+1} = x_i \nabla (x_i - a x_i)$ starting with $x_0 = \varepsilon_1$), where $\varepsilon_1$ stands for 
the noise symbol introduced by the assignment at control point [1]. 



$$\begin{aligned}
x_1 &= \varepsilon_1 \\
x_2 &= \varepsilon_1 \nabla \big((1 - a)\varepsilon_1\big) = (1 - a)\varepsilon_1 + a\varepsilon_U \\
x_3 &= \varepsilon_1 \nabla \big((1 - a)\varepsilon_1 + a\varepsilon_U - a((1 - a)\varepsilon_1 + a\varepsilon_U)\big) = \varepsilon_1 \nabla \big((1 - a)^2\varepsilon_1 + a(1 + a)\varepsilon_U\big)
\end{aligned}$$

because the semantics of $-$ on $\varepsilon_U$ symbols cannot cancel out 
its coefficients a priori. We will see a bit later that under some 
conditions, we can improve the semantics locally. 

To carry on with this example, let us particularize the above 
scheme to the case $a = \tfrac{1}{4}$: 

$$x_3 = \varepsilon_1 \nabla \big(\tfrac{9}{16}\varepsilon_1 + \tfrac{5}{16}\varepsilon_U\big)$$

We already see that the concretization of $x_3$ is bigger than $[-1, 1]$, 
showing loss of precision, even compared to simple interval computations. 
The next iterations make this interval grow to infinity. If we could 
have written 

$$x_{i+1} = \varepsilon_1 \nabla (x_i - a x_i) \qquad (17)$$

(with $-$ cancelling the $\varepsilon_U$ coefficients as it does the $\varepsilon_i$ ones) instead of 

$$x_{i+1} = \varepsilon_1 \nabla (x_i - a x_i) \qquad (18)$$

the iteration sequence would have been convergent. We are going 
to explain that we can make sense of this. 

We first introduce a shift operator, that decreases the current 
abstract value. 

Definition & Lemma 38. Let $x = \alpha_0^x + \sum_{i \ge 1} \alpha_i^x \varepsilon_i + \beta^x \varepsilon_U$. 
Define, for $x$ with finitely many non-zero coefficients: 

$$!x = \alpha_0^x + \sum_{i \ge 1} \alpha_i^x \varepsilon_i + \beta^x \varepsilon_f$$

where $\varepsilon_f$ is a "fresh" symbol. Then for all $x \in A_1$, $!x \le x$. 

The idea is that, after some unions, during a Kleene iteration 
sequence, such as right after the union in semantic equation (18) of 
Example 37, we would like to apply the $!$ operator, allowing us to 
get an equation equivalent to (17). 

The full formalization of this refined iteration scheme is outside 
the scope of this paper. It basically relies on the following observation of our abstract semantics: 

All concrete executions of a program correspond to a unique 
choice of values between $-1$ and $1$ of $\varepsilon_1, \ldots, \varepsilon_n, \ldots, \varepsilon_U$ (for all 
join control points). 

Hence, locally, between two join control points, $\varepsilon_U$ coefficients 
act as normal $\varepsilon_i$ coefficients. Hence one can use $!$ to carry on the 
evaluation of the abstract functionals after each control point where 
a union was computed, corresponding to a branching between several concrete executions. 

Example 39. We carry on with Example 37. We use now the 
new semantic equation: $x_{i+1} = \varepsilon_1 \nabla (!x_i - a\,!x_i)$. Therefore, the 
successive iterates, for $a = \tfrac{1}{4}$, are: 

$$\begin{aligned}
x_1 &= \varepsilon_1 \\
x_2 &= \varepsilon_1 \nabla \big(\tfrac{3}{4}\varepsilon_1\big) = \tfrac{3}{4}\varepsilon_1 + \tfrac{1}{4}\varepsilon_U \\
x_3 &= \varepsilon_1 \nabla \big(\tfrac{9}{16}\varepsilon_1 + \tfrac{3}{16}\varepsilon_2\big)
\end{aligned}$$

where $\varepsilon_2 = !\varepsilon_U$ in the last iterate. Therefore, $x_3 = \tfrac{9}{16}\varepsilon_1 + \tfrac{7}{16}\varepsilon_U$. 
The successive iterates will converge very quickly to $x_\infty = \varepsilon_U$ with 
concretization being $[-1, 1]$ and no surviving relation. 
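The following is an added example, not code from the paper: it implements the affine forms of $A_1$ with their norm $\|\cdot\|_A$, the widening $x \nabla y$ of Definition 32, the mub $\beta^z$ of formula (8), the shift operator $!x$ of Definition 38, and the Kleene iteration of Examples 37 and 39 with $a = \tfrac{1}{4}$, so that the joins of Examples 22 to 25 and the iterates above can be recomputed exactly. The names Aff, widen, shift and kleene, and the subtraction semantics on $\varepsilon_U$ (the two magnitudes add, as the text describes), are assumptions of the example.

```python
from fractions import Fraction as Fr


class Aff:
    """Form a0 + sum_i a_i*eps_i + beta*eps_U of A_1; every symbol ranges over [-1, 1]."""

    def __init__(self, a0, coeffs=None, beta=0):
        self.a0 = Fr(a0)
        self.coeffs = {i: Fr(c) for i, c in (coeffs or {}).items() if c != 0}
        self.beta = Fr(beta)

    def gamma(self):
        """Concretization: the interval of values the form can take."""
        dev = sum(abs(c) for c in self.coeffs.values()) + self.beta
        return (self.a0 - dev, self.a0 + dev)

    def norm_A(self):
        """||x||_A = sum_{i>=0} |alpha_i|; the eps_U coefficient is not counted."""
        return abs(self.a0) + sum(abs(c) for c in self.coeffs.values())

    def __mul__(self, k):
        k = Fr(k)
        return Aff(k * self.a0, {i: k * c for i, c in self.coeffs.items()}, abs(k) * self.beta)

    def __sub__(self, other):
        # eps_i terms cancel as usual, but the eps_U magnitudes add: the union
        # symbols of the two operands are not correlated (the "-" of Example 37).
        keys = set(self.coeffs) | set(other.coeffs)
        return Aff(self.a0 - other.a0,
                   {i: self.coeffs.get(i, 0) - other.coeffs.get(i, 0) for i in keys},
                   self.beta + other.beta)

    def __eq__(self, other):
        return (self.a0, self.coeffs, self.beta) == (other.a0, other.coeffs, other.beta)


def leq(x, y):
    """The order of A_1: x <= y iff ||y - x||_A <= beta^y - beta^x."""
    return (y - x).norm_A() <= y.beta - x.beta


def argmin_abs(lo, hi):
    """argmin_{lo <= a <= hi} |a|, for lo <= hi."""
    return lo if lo > 0 else (hi if hi < 0 else Fr(0))


def mub_beta(x, y):
    """beta^z of a minimal upper bound of x and y, formula (8)."""
    return ((x - y).norm_A() + x.beta + y.beta) / 2


def widen(x, y):
    """x nabla y (Definition 32): concretization gamma(x) U gamma(y), each eps_i
    coefficient shrunk towards 0, eps_U absorbing the rest of the width."""
    lo = min(x.gamma()[0], y.gamma()[0])
    hi = max(x.gamma()[1], y.gamma()[1])
    a0 = (lo + hi) / 2
    coeffs = {}
    for i in set(x.coeffs) | set(y.coeffs):
        cx, cy = x.coeffs.get(i, Fr(0)), y.coeffs.get(i, Fr(0))
        coeffs[i] = argmin_abs(min(cx, cy), max(cx, cy))
    return Aff(a0, coeffs, hi - a0 - sum(abs(c) for c in coeffs.values()))


def shift(x, fresh):
    """!x (Definition 38): the eps_U coefficient moves onto a fresh symbol eps_fresh."""
    coeffs = dict(x.coeffs)
    if x.beta != 0:
        coeffs[fresh] = x.beta
    return Aff(x.a0, coeffs, 0)


def example_joins():
    """Examples 22-25: (x nabla y, mub beta of (8)). In the non-generic cases
    23 and 25 the widening's beta is strictly larger than the mub's."""
    pairs = {22: (Aff(1, {1: 1}), Aff(0, {1: 2})),
             23: (Aff(1, {1: 1}), Aff(0, {1: 4})),
             24: (Aff(3, {1: 1, 2: 2}), Aff(1, {1: -2, 2: 1})),
             25: (Aff(1, {1: 1, 2: 2, 3: 1}), Aff(-2, {1: -6, 2: 1, 3: 2}))}
    return {n: (widen(x, y), mub_beta(x, y)) for n, (x, y) in pairs.items()}


def kleene(a, steps, use_shift):
    """x_1 = eps_1, x_{i+1} = eps_1 nabla (b - a*b) with b = x_i (Example 37,
    equation (18)) or b = !x_i (Example 39); returns x_steps."""
    eps1 = Aff(0, {1: 1})
    x, fresh = eps1, 2
    for _ in range(steps - 1):
        body = shift(x, fresh) if use_shift else x
        fresh += 1
        x = widen(eps1, body - body * a)
    return x


if __name__ == "__main__":
    for n, (z, b) in example_joins().items():
        print(f"Example {n}: a0={z.a0} coeffs={z.coeffs} beta={z.beta}; mub beta={b}")
    a = Fr(1, 4)
    print("without shift, sup gamma(x_40) =", float(kleene(a, 40, False).gamma()[1]))
    print("with shift, gamma(x_60) =", kleene(a, 60, True).gamma())
```

Without the shift the $\varepsilon_U$ coefficient grows by the factor $1 + a$ at every step once the body's width exceeds 1, while with the shift every iterate keeps the concretization $[-1, 1]$ and the $\varepsilon_1$ coefficient decays like $(1 - a)^{i-1}$.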

4.2 Iteration schemes 

As we have almost bounded completeness, and not unconditional 
completeness, our iteration schemes will be parametrized by a large 
interval $I$: as soon as the current iterate leaves $I$, we end the iteration 
by $\top$ (that we can choose to represent by $\infty\varepsilon_U$ by an abuse of 
notation). The starting abstract value of the Kleene-like iteration 
of Definition 40 is as usual $\bot$, that, in theory, we should formally 
introduce in the lifted domain of affine forms (but that, by an abuse 
of notation, we can represent by $-\infty\varepsilon_U$). 

In order to get good results, we need in particular cyclic unfoldings. 
They are defined below: 

Definition 40. Let $i$ and $c$ be any positive integers, $U$ be any of 
the operators $\sqcup$ (for some choice of a mub), or $\nabla$. 

The $(i, c, U)$-iteration scheme of some functional $F : \mathrm{Var} \to \mathrm{Var}$ is as follows: 

• First unroll $i$ times the Kleene iteration sequence, starting from 
$\bot$, i.e. compute $x_1 = F^i(\bot)$. 

• Then iterate: $x_{n+1} = x_n \, U \, F^c(!x_n)$ starting with $n = 1$. 

• End when a fixpoint is reached, or with $\top$ if $\gamma(x_{n+1}) \not\subseteq I$. 

Note that initial unfoldings are important for better precision but 
will not be used in the sequel. 



4.3 Convergence for linear recursive filters 

We prove that our approach allows us to find good estimates for the 
real bounds of general affine recurrences (i.e. linear recursive filters 
of any order), see Section 2.2. The only abstract domains known to 
be able to give accurate results are the one of [3], which only deals 
with filters of order 2, and the one of [17], which is specialized for 
digital filters (which is not the case of our abstraction). 
We consider again the class of programs of Section 2.2. 



Theorem 41. Suppose scheme (1) has bounded outputs, i.e. the 
(complex) roots of $x^n - \sum_{i=0}^{n-1} a_{i+1} x^i$ have modulus strictly less 
than 1. Then there exists $q$ such that the $(0, q, \nabla)$-iteration scheme 
(see Section 4.2) converges towards a finite over-approximation of 
the output. 

In other words, the perturbed numerical scheme solving the 
fixpoint problem is also bounded. 

Sketch of proof. Being a fixed point of the abstract functional $F$ 
(giving the abstract semantics of one iteration of the loop) 
means 

$$\begin{aligned}
x_{k+n+1} &= x_{n+1} \nabla \Big(\sum_{i=1}^{n} a_i x_{k+i} + \sum_{j=1}^{n+1} b_j e_{k+j}\Big) \\
x_{n+1} &= x_1 \nabla x_2 \nabla \cdots \nabla x_n \nabla x_{k+n+1} \\
x_{n+2} &= x_2 \nabla \cdots \nabla x_n \nabla x_{k+n+1} \\
&\ \vdots \\
x_{k+n} &= x_n \nabla x_{k+n+1}
\end{aligned}$$

Define 

$$y_1 = x_n, \quad y_2 = x_{n-1} \nabla x_n, \quad \ldots, \quad y_n = x_1 \nabla x_2 \nabla \cdots \nabla x_n, \quad y_{n+1} = x_{n+1}.$$

Then the fixpoints of $F$ are determined by the fixed points $z$: 

$$z = x_{n+1} \nabla \Big(\sum_{i=1}^{n} a_i (y_{n+1-i} \nabla z) + \sum_{j=1}^{n+1} b_j e_{k+j}\Big). \qquad (19)$$

Suppose first that $\sum_{i=1}^{n} |a_i| < 1$. Consider now the interval 
fixpoint equation resulting from (19). As $\gamma$ commutes with $\nabla$, by 
definition, and because of Lemma 7, it transforms into 

$$\gamma(z) \subseteq \gamma(x_{n+1}) \cup \Big(\sum_{i=1}^{n} a_i \big(\gamma(y_{n+1-i}) \cup \gamma(z)\big) + \sum_{j=1}^{n+1} b_j \gamma(e_{k+j})\Big)$$

This equation shows that $\gamma(z)$ is a pre-fixpoint of the interval 
abstraction of our linear scheme. It is well known that in the case 
$\sum_{i=1}^{n} |a_i| < 1$, this interval abstraction admits a bounded least 
fixpoint $z^\sharp$. Hence, $z$ in this case is bounded by $z^\sharp$ (for the order $\le$, 
when $z^\sharp$ is written as $\mathrm{mid}(z^\sharp) + \mathrm{dev}(z^\sharp)\varepsilon_U$, with $\mathrm{dev}([a, b]) = \tfrac{b - a}{2}$), hence has finite concretization. In fact, not only $z$ but all 
the ascending sequence of the $(0, 1, \nabla)$-iteration scheme from $\bot$ is 
bounded by $z^\sharp$. Note that any ascending sequence for any $(p, q, \nabla)$-iteration scheme is also ascending for the partial order $\ll$. By 
Proposition 36, it has a least upper bound, which is the least fixed 
point of $F$ for the partial order $\ll$ because of the obvious continuity 
(in the $\ell_1$ sense) of $F$. Hence again, this fixed point is bounded by 
$z^\sharp$, so has finite concretization. 

Secondly, if the roots of $x^n - \sum_{i=0}^{n-1} a_{i+1} x^i$ have modulus 
strictly less than 1, then there exists $q$ such that $F^q$ is a filter of 
order $nq$ in the inputs $e$, and $n$ in the outputs, with coefficients 
$c_j$, $j = 1, \ldots, n$ such that $\sum_{j=1}^{n} |c_j|$ is strictly less than 1. One 
can check that the semantics on affine forms is exact on affine 
computations (because of the use of the shift operator). We can 
then apply the result above to reach the conclusion. $\square$ 

More generally, and this is beyond the scope of this article, we 
can show that there exist $(i, q, \nabla)$-iteration schemes that will come 
as close as we want to the exact range of values that $x$ can take. 

Example 42. We carry on with Example 4. We see that matrix $A$ 
in our case is 

$$A = \begin{pmatrix} 0 & 1 \\ -0.7 & 1.4 \end{pmatrix}$$

and of course, the $\ell_1$ norm of the rows of $A$ is bigger than 1. 
Iterating $A$, we see that: 

$$A^5 = \begin{pmatrix} -0.5488 & 0.2156 \\ -0.15092 & -0.24696 \end{pmatrix}$$

is the first iterate of $A$ with $\ell_1$ norm of rows less than 1. We know 
by Theorem 41 that a $(0, 5, \nabla)$-iteration scheme will eventually 
converge to an upper approximation of the invariant (which we 
can estimate, see Example 4, to $[-1.12124069\ldots, 2.82431841\ldots]$). 
Here is what $(0, i, \nabla)$-iteration schemes give as last invariant and 
concretization, when $i$ is greater than 5 (rounded, for purposes of 
readability): 



  i     invariant                    concretization 
  5     0.8333 + 2.4661 eps_U        [-1.6328, 3.2995] 
  16    0.7623 + 2.06212 eps_U       [-1.3, 2.8244] 
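An added example (not the paper's code) for the $q$ of Theorem 41 used in the $(0, q, \nabla)$-iteration scheme: it builds the companion matrix of a linear recursive filter and finds the first power whose rows all have $\ell_1$ norm below 1, reproducing the $A^5$ above. It generalizes the order-2 case to any order. The recurrence $x_{n+1} = 1.4 x_n - 0.7 x_{n-1}$ (plus inputs) is an assumption read off the matrix $A$ of Example 42, and `first_contracting_power` is a hypothetical helper name.

```python
# Added example, not the paper's implementation. The filter coefficients below
# are inferred from the matrix A printed in Example 42 (state = (x_{n-1}, x_n)).

def companion(a):
    """Matrix of the state update (x_{k-n+1}, ..., x_k) -> (x_{k-n+2}, ..., x_{k+1})
    for the recurrence x_{k+1} = a[0] x_k + a[1] x_{k-1} + ... + a[n-1] x_{k-n+1}."""
    n = len(a)
    rows = [[1.0 if j == i + 1 else 0.0 for j in range(n)] for i in range(n - 1)]
    rows.append([a[n - 1 - j] for j in range(n)])   # last row: a_n, ..., a_1
    return rows


def matmul(p, q):
    n = len(p)
    return [[sum(p[i][k] * q[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def row_l1_norms(m):
    """l1 norm of each row: the sum of absolute filter coefficients of A^q."""
    return [sum(abs(v) for v in row) for row in m]


def first_contracting_power(a, limit=100):
    """Smallest q <= limit such that every row of A^q has l1 norm < 1, with A^q.
    Returns (None, None) when no power within limit contracts: the argument of
    Theorem 41 then gives no q (for instance for an unstable filter)."""
    A = companion(a)
    P = A
    for q in range(1, limit + 1):
        if max(row_l1_norms(P)) < 1:
            return q, P
        P = matmul(P, A)
    return None, None


if __name__ == "__main__":
    q, P = first_contracting_power([1.4, -0.7])
    print("q =", q, "A^q =", P)          # q = 5 and the A^5 of Example 42
    print(first_contracting_power([2.0, -1.0], 50))   # double root at 1: (None, None)
```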



Note that although the convergence to this invariant is asymptotic (meaning that we would need in theory an infinite Kleene iteration to reach the invariant), in finite precision, the limit is reached 
in a finite number of steps. In the case of the $(0, 16, \nabla)$-iteration 
scheme, the fixpoint is reached after 18 iterations. In some ways, 
we have replaced the numerical scheme (a filter of order 2 here) 
by an abstract numerical scheme which has similar convergence 
properties, and can be simulated in a finite time and in a guaranteed manner, accurately. We can also use extrapolation or widening 
techniques, for which we will show some results in Example 44. 

Note also that none of the noise symbols survived in the final 
invariant: there is no dependency left with the successive inputs, 
when looking at the overall invariant. This is very easily shown 
on the first few Kleene iterates already. We denote by $x_i$ the affine 
form at control point [2], $y_i$ the affine form at control point [3], 
at iteration $i$, for the $(0, 16, \nabla)$-iteration scheme. We have (as 
produced by our prototype implementation): 

$$\begin{aligned}
x_1 &= 0.8808 + 1.8593\varepsilon_U \\
y_1 &= 0.8808 + 0.01038\varepsilon_1 + 0.0429\varepsilon_2 + 0.0369\varepsilon_4 + \cdots \\
    &\quad + 0.1052\varepsilon_{21} + 0.2046\varepsilon_{23} + 0.2589\varepsilon_{25} + 0.2254\varepsilon_{27} \\
    &\quad + 0.081\varepsilon_{29} - 0.166\varepsilon_{31} + 0.35\varepsilon_{33} \\
x_2 &= 0.8422 + 1.9407\varepsilon_U \\
x_3 &= 0.8323 + 1.9688\varepsilon_U
\end{aligned}$$

Finally, you should note that Theorem 41 is not limited by any 
means to finding invariants of such filter programs with independent inputs, or independent initial conditions. For instance, if all 
the inputs over time are equal, but unknown numbers between 0 
and 1, the final invariant has concretization $[-0.1008, 2.3298]$. 

4.4 Simple widening operators 

We can define numerous widening operators, among which the 
following: 

Definition & Lemma 43. The operator $W$ defined by $z = x\,W\,y$ such that 

• $\alpha_0^z = \mathrm{mid}(\gamma(x) \cup \gamma(y))$, 

• $\alpha_i^z = \alpha_i^x = \alpha_i^y$ for all $i \ge 1$ such that $\alpha_i^x = \alpha_i^y$, 

• $\alpha_i^z = 0$ for all $i \ge 1$ such that $\alpha_i^x \ne \alpha_i^y$, 

• $\beta^z = \sup \gamma(x \cup y) - \alpha_0^z - \sum_{i \ge 1} |\alpha_i^z|$ 

gives an upper bound of $x$ and $y$ that can be used as an efficient 
widening. 

Example 44. Now we carry on with Example 4, but this 
time we apply the widening defined above after 1 normal iteration 
step. For $i$ equal to 5, the fixpoint is reached at iteration 9, and for $i$ 
equal to 16, it is reached at iteration 4, with precision equivalent 
to the case without widening. This time, convergence is reached 
in finite time, by construction (and not because of "topological" 
convergence). 

5. Directions currently investigated 

We discuss in this section very promising improvements of the 
above schemes, which we feel are important to mention here. But, 
as they are not fully formalized yet, we mostly demonstrate them 
on examples. 

5.1 Iteration strategies for a refined join operation 

As we introduced (Definition 38) the possibility to shift the union 
symbols to "classical" noise symbols in the iteration scheme, it becomes important to create as few union symbols as possible, in 
order not to lose relations. This can be partly solved by an adapted 
refined iteration strategy: when there is a cycle of explicit dependency between variables, make the union only on one variable and 
apply immediately the shift operator of Definition 38 before this 
union is propagated to the other dependent variables. 

Example 45. Consider the following program, implementing a 
second-order filter (where xnp1 stands for $x_{n+1}$, xn stands for $x_n$ 
and xnm1 stands for $x_{n-1}$): 

real xnp1, xn, xnm1; 
xn = [0,1]; 
while (true) { 
  xnp1 = 1.2*xn - 0.8*xnm1; 
  xnm1 = xn; xn = xnp1; 
} 

In this program, we have $x_n^k = x_{n-1}^{k+1}$, where $k$ is the current 
iteration of the loop, so it is clearly a bad idea to make unions 
independently on $x_n$ and $x_{n-1}$. 

Before the loop, $x_n^0 = 0.5 + 0.5\varepsilon_1$, and after the first iteration of 
the loop, $x_{n-1}^1 = 0.5 + 0.5\varepsilon_1$, $x_n^1 = 0.6 + 0.6\varepsilon_1$. 

Applying the classical join operations to $x_n$ and $x_{n-1}$ at the 
beginning of the loop after the first iteration gives $x_n^1 = x_n^0 \sqcup x_n^1 = 0.6 + 0.5\varepsilon_1 + 0.1\varepsilon_U$, $x_{n-1}^1 = x_{n-1}^0 \sqcup x_{n-1}^1 = 0.5 + 0.5\varepsilon_U$. 
Then, after applying the shift operator (with a new symbol $\varepsilon_2$ for 
$x_n$, and a new symbol $\varepsilon_3$ for $x_{n-1}$), we get $x_n^2 = x_{n+1}^1 = 0.32 + 0.6\varepsilon_1 + 0.12\varepsilon_2 - 0.4\varepsilon_3$, and $\gamma(x_n^2) = [-0.8, 1.44]$. 

Then $x_n^2 = x_n^1 \sqcup\, !(x_n^2) = 0.32 + 0.5\varepsilon_1 + 0.1\varepsilon_2 + 0.52\varepsilon_U$, 
$x_{n-1}^2 = x_{n-1}^1 \sqcup\, !(x_{n-1}^2) = !(x_{n-1}^1) \sqcup\, !(x_n^1) = 0.6 + 0.6\varepsilon_U$, and 
after applying a shift that creates new symbols $\varepsilon_4$ and $\varepsilon_5$, we get 
$x_n^3 = x_{n+1}^2 = -0.096 + 0.6\varepsilon_1 + 0.12\varepsilon_2 + 0.624\varepsilon_4 - 0.48\varepsilon_5$ and 
$\gamma(x_n^3) = [-1.92, 1.728]$. 

Of course, in practice, cyclically unrolling the loop allows to 
cope with the bad behavior of the scheme, but it is better to refine 
as well the iteration as follows. 

Applying the join and shift operations on $x_n$ only, we write 
$x_n^1 = !(x_n^0 \sqcup x_n^1) = 0.6 + 0.5\varepsilon_1 + 0.1\varepsilon_2$, and $x_n^2 = 0.32 + 0.2\varepsilon_1 + 0.12\varepsilon_2$, and $\gamma(x_n^2) = [0, 0.64]$. 

Then $x_n^2 = !(x_n^1 \sqcup x_n^2) = 0.6 + 0.2\varepsilon_1 + 0.1\varepsilon_2 + 0.3\varepsilon_3$ and 
$x_n^3 = 0.24 - 0.16\varepsilon_1 + 0.04\varepsilon_2 + 0.36\varepsilon_3$, $\gamma(x_n^3) = [-0.32, 0.8]$. 

We dealt here with an example where the dependencies between 
variables were explicit, but we can also generalize this and introduce symbols to make explicit and preserve implicit dependencies, as in 
Example 46. 

Example 46. Take the following program: 

real x,y; 
x = 1; y = 0; 
for (x=1; x<=10000; x++) 
  y = y + 2; 

If we apply the standard union, we get for example after the first iteration, 
union and shift: $x = 1.5 + 0.5\varepsilon_1$ and $y = 1 + \varepsilon_2$. 

We cannot use the above strategy of using the union on one 
variable only, because variables $x$ and $y$ are not explicitly linked. 

Still, we can observe that, before or inside the loop, $x$ and $y$ 
are always such that $y = 2x - 2$. So, in order to construct a 
joint union on $x$ and $y$ that preserves this relation, we can just 
use union and shift on $x$ ($x^1 = 1.5 + 0.5\varepsilon_1$), and then simply 
deduce $y$ by $y = 2x - 2 = 1 + \varepsilon_1$, thus expressing relations 
that will be usable in further computation. And of course the same 
operation can be repeated again for the following iterations of the 
loop, as affine relations are preserved by affine arithmetic: here 
$x^2 = x^1 + 1 = 2.5 + 0.5\varepsilon_1$ and $y^2 = y^1 + 2 = 3 + \varepsilon_1$; we still 
have $y^2 = 2x^2 - 2$. 

And indeed, for practical realization, when making unions over 
a set of variables, it is easy for example to consider couples of 
variables, and first investigate whether or not they satisfy the same 
affine relation on the two states, and if it is the case propagate the 
union over one variable on the other. 

5.2 Refining again the join operator for disjunctive analysis 

Example 47. Take the following program: 

real x,y,z; 
z = [0,1]; 
if (z < 0.5) { x = 1; y = -1; } 
else { x = 0; y = 1; } 
if (y > 0) 
  x = x + y; 

The result for $x$ of the execution of this toy example is always 
$x = 1$, whatever $z \in [0, 1]$. 

Making the dependency between $x$ and $y$ explicit (we can always do 
so with constants): in the two branches taken after the first test, we 
have $y = -2x + 1$; then we write $x = 0.5 + 0.5\varepsilon_2$, and $y = -\varepsilon_2$ 
after joining the results from the two branches. Then, interpreting 
test $(y > 0)$ leads to adding the constraint $\varepsilon_2 < 0$, but this is not enough 
to deduce $x = 1$. 

Then, we can note that for example $x = 0.5 + 0.5\varepsilon_2$ should 
denote a disjoint union of two values 1 and 0, thus in this case 
symbol $\varepsilon_2$ no longer takes all values in $[-1, 1]$, but only the two 
values $-1$ and $1$. Then, when test $(y > 0)$ is true, $\varepsilon_2 = -1$, 
$x = 0.5 - 0.5\varepsilon_2 = 1$, and when it is false, then $x$ is naturally equal 
to 1. 



6. Conclusion, Related and Future Work 

We have proved that our abstract domain behaves well for an 
interesting class of numerical programs. More work has yet to be 
done on the formalisation of the shift operator (Section 4.1) and on 
more general schemes, such as some non-linear schemes of interest. 
Many questions arise also from this work. For instance, can we 
replace affine forms (but $\varepsilon_U$) by higher-order Taylor models? 

Also, most of our proofs only rely on the general properties 
of norms, and not specifically on $\ell_1$. What do we get with the 
$\ell_p$ norms, and in particular with the standard Lorentz cone, when 
considering $\ell_2$? Many techniques are available here that could help, 
in particular the techniques of Second-Order Cone Programming. 

Our main convergence result (Theorem 41) can be recast as a 
fixpoint property of some general (min, max, +) functions. Can 
we use policy iteration techniques [8, 10] to help solve these? Last 
but not least, Property (15) rings a bell and looks like phenomena appearing with spectral measures (measures with values in a Banach 
space). Is this also generalizable to affine forms where $\varepsilon_i$ are random variables of some sort? 

Acknowledgments are due to Stephane Gaubert for interesting 
remarks during an earlier presentation of these results. 